
DoS attacks do not always require large-scale botnets. Security researchers have described the BlackNurse attack, which lets a single laptop take down firewalls from popular vendors.
What is the problem
Danish researchers from the SOC (Security Operations Center) of the telecom operator TDC described the BlackNurse attack, which exploits the way popular firewalls process certain ICMP messages.
In the published study, the authors write that they ran into the problem while developing their own anti-DoS solutions: in some cases, despite a small volume of incoming traffic and a low packet rate, overall network throughput dropped. The effect was observed even at large corporate customers with high-bandwidth links and expensive equipment from well-known vendors.
The attack uses ICMP Type 3 (Destination Unreachable) messages, specifically Type 3 Code 3 (Port Unreachable). A flood of these messages can overload the firewall's CPU and cause a denial of service. According to the experimental data, a single laptop using this method can generate an attack of 180 Mbps.
The TDC publication does not explain why these packets consume so much firewall CPU time, but Hans Ulrich, a security expert at the SANS Technology Institute, suggested that the firewall may be attempting stateful inspection of the packets, which is resource-intensive.
“On different firewalls the load increased in every case. While the attack was running, LAN users behind the firewall lost the ability to send and receive traffic to and from the Internet; after the attack stopped, operability was restored,” the researchers write in their document.
According to TDC experts, the following products are vulnerable:
- Cisco ASA 5506, 5515, 5525 (with default settings)
- Cisco ASA 5550 (legacy) and 5515-X (latest generation)
- Cisco Router 897 (the attack can be repelled)
- SonicWall (resolved by changing the default configuration)
- some Palo Alto models
- Zyxel NWA3560-N (wireless attack from the LAN)
- Zyxel Zywall USG50
Firewalls based on iptables are not affected by the attack.
How to protect
You can find out whether a particular system is vulnerable by allowing ICMP on the WAN side of the firewall and running a test with hping3 while simultaneously trying to reach the Internet from the internal network. The researchers used the following hping3 commands:
hping3 -1 -C 3 -K 3 -i u20 <target ip>
hping3 -1 -C 3 -K 3 --flood <target ip>
The researchers also published Snort IDS rules for detecting BlackNurse attacks (the detection_filter fires once 250 Type 3 Code 3 packets reach the same destination within one second):
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC - Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
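As an added example that is not part of the TDC publication or this post, the following Python script applies the same per-destination threshold as the Snort rules above (250 ICMP Type 3 Code 3 packets to one destination within one second) to raw IPv4/ICMP packets, ignoring other ICMP types and expiring old timestamps. The addresses, packet contents and helper names (parse_ipv4_icmp, BlackNurseDetector, build_icmp, replay) are constructed for the demonstration.

```python
import struct
from collections import defaultdict, deque

COUNT_THRESHOLD = 250   # same threshold as the TDC Snort rules' detection_filter
WINDOW_SECONDS = 1.0    # count 250, seconds 1, tracked per destination (by_dst)

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code) for a raw IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[9] != 1:            # IPv4 protocol field 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if len(pkt) < ihl + 4:                       # truncated: no ICMP type/code present
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1]

class BlackNurseDetector:
    """Per-destination sliding-window counter of ICMP Port Unreachable (3/3) messages."""

    def __init__(self, count=COUNT_THRESHOLD, seconds=WINDOW_SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)        # dst -> timestamps of matching packets

    def observe(self, ts: float, pkt: bytes):
        """Feed one packet; return an alert string once the threshold is reached, else None."""
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None or parsed[2:] != (3, 3):
            return None                          # not Type 3 Code 3 (e.g. Echo Request): ignore
        src, dst = parsed[:2]
        window = self.windows[dst]
        window.append(ts)
        while ts - window[0] > self.seconds:     # expire timestamps older than the window
            window.popleft()
        if len(window) >= self.count:
            return f"possible BlackNurse: {len(window)} ICMP 3/3 to {dst} in {self.seconds}s (last src {src})"
        return None

def build_icmp(src: str, dst: str, icmp_type=3, icmp_code=3) -> bytes:
    """Construct a minimal IPv4+ICMP packet as offline test input (checksums left zero)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, ip(src), ip(dst))
    return hdr + icmp

def replay(detector, pkt: bytes, n: int, seconds: float):
    """Feed n copies of pkt spread evenly over `seconds`; return the alerts raised."""
    return [a for a in (detector.observe(i * seconds / n, pkt) for i in range(n)) if a]
```

Like the Snort detection_filter, the detector keeps alerting on every further matching packet while the window stays above the threshold, so 300 packets in one second produce 51 alerts rather than one.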
The risk can be reduced in several ways. In particular, the experts recommend configuring a list of trusted sources on the firewall from which ICMP packets are accepted. It also makes sense to drop ICMP Type 3 Code 3 on the WAN side.
Cyber attacks can be hard to prevent, but large-scale leaks can be averted and the consequences of security incidents mitigated by using specialized protection tools, for example the MaxPatrol SIEM hardware and software suite.
With MaxPatrol SIEM you can analyze data received from firewalls and IPS/IDS systems, or collected by its own Network Sensor agent, which makes it possible to detect and flag attacks such as BlackNurse in time. A well-implemented SIEM also makes it possible, once the logic of a specific attack has been described, to detect all attacks of that class, both outside the perimeter and inside the often extremely complex and heterogeneous infrastructure.
You can learn about the theory and practice of implementing and operating SIEM systems, using MaxPatrol as an example, on November 17 at 2:00 pm at a free webinar by Vladimir Bengin, head of the SIEM sales support department. Register for the webinar here.